Checking Pwned Passwords against Active Directory’s NTLM Hashes

Pwned Passwords is a great web service that lets you check your own password against hundreds of millions of compromised and leaked passwords. It is not only constantly updated by its owner, Troy Hunt, but also offers downloadable text files and an API for anyone interested in building a third-party app.

Newly added to the list are the password hashes in NTLM format, which can be compared directly against the NT hashes stored in any AD environment. That's wonderful news for those of us who mostly work in a Windows environment, myself included.

Here are the steps for how this can be done. I personally haven't had a chance to test it myself, but I surely will in the near future.

  1. Download the entire 517M-entry NTLM hash list, either as a torrent or courtesy of Cloudflare aggressively caching the direct download.
  2. Export the NT hashes from AD, either with PowerShell (e.g. the DSInternals module) or by taking a snapshot of the NTDS database with the built-in ntdsutil command line and extracting the hashes from it.
  3. Compare the two lists with the Match-ADHashes PowerShell script on GitHub or the Compromise Checker by Semrau Security.
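The comparison in step 3, as an added example that is not part of the original post and is not the code of the Match-ADHashes script or the Compromise Checker. It assumes the AD export has one account per line as "user:NTHASH" (pwdump-style lines with the NT hash as the last 32-hex field also work) and that the Pwned Passwords file is the NTLM download, one "NTHASH:count" per line. The AD hashes are held in a hashtable and the multi-gigabyte pwned list is streamed one line at a time, so memory use stays flat regardless of the size of the download. The sample inputs at the bottom are constructed; the hash values are the NT hashes of the passwords noted in the comments, but the prevalence counts are made up, not real Pwned Passwords data.

```powershell
# Added example; not the original post's code nor the Match-ADHashes project's.
# Assumptions: AD export lines are "user:NTHASH" (or pwdump-style with the NT
# hash as the last 32-hex field); the pwned list is "NTHASH:count" per line.

function Get-NtHashFromLine {
    param([string]$Line)
    # Return the last colon-separated field that looks like an NT hash (32 hex
    # chars), uppercased to match the Pwned Passwords file; $null if none.
    $hash = $null
    foreach ($field in $Line.Split(':')) {
        if ($field -match '^[0-9A-Fa-f]{32}$') { $hash = $field.ToUpperInvariant() }
    }
    return $hash
}

function Find-PwnedAdHashes {
    param(
        [Parameter(Mandatory)][string]$AdHashFile,
        [Parameter(Mandatory)][string]$PwnedFile
    )
    # Map NT hash -> accounts; several accounts can share one password, and
    # seeing that is useful in itself (shared service account passwords).
    $byHash = @{}
    foreach ($line in [System.IO.File]::ReadLines($AdHashFile)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $hash = Get-NtHashFromLine $line
        if (-not $hash) { continue }
        $user = $line.Split(':')[0]
        if (-not $byHash.ContainsKey($hash)) {
            $byHash[$hash] = New-Object System.Collections.Generic.List[string]
        }
        $byHash[$hash].Add($user)
    }

    # Stream the pwned list line by line; Get-Content on the full download
    # would exhaust memory. Each match is emitted as an object so the caller
    # can sort, filter or export it.
    $reader = New-Object System.IO.StreamReader($PwnedFile)
    try {
        while ($null -ne ($line = $reader.ReadLine())) {
            $sep = $line.IndexOf(':')
            if ($sep -lt 0) { continue }
            $hash = $line.Substring(0, $sep).ToUpperInvariant()
            if ($byHash.ContainsKey($hash)) {
                $count = [int64]$line.Substring($sep + 1).Trim()
                foreach ($user in $byHash[$hash]) {
                    [PSCustomObject]@{ User = $user; NTHash = $hash; Prevalence = $count }
                }
            }
        }
    } finally {
        $reader.Dispose()
    }
}

# Constructed sample inputs (not real exports). Prevalence counts are made up.
$adSample = @"
jsmith:8846F7EAEE8FB117AD06BDD830B7586C
svc_backup:64F12CDDAA88057E06A81B54E73B949B
mjones:8846F7EAEE8FB117AD06BDD830B7586C
admin:A0B2C4D6E8F0A1B3C5D7E9F1A3B5C7D9
"@
$pwnedSample = @"
31D6CFE0D16AE931B73C59D7E0C089C0:1000
64F12CDDAA88057E06A81B54E73B949B:500
8846F7EAEE8FB117AD06BDD830B7586C:9000
"@
# 8846F7EA... is the NT hash of "password", 64F12CDD... of "Password1",
# 31D6CFE0... of the empty password; A0B2C4D6... is a placeholder, not pwned.
$adFile    = Join-Path $env:TEMP 'ad-nt-hashes-sample.txt'
$pwnedFile = Join-Path $env:TEMP 'pwned-ntlm-sample.txt'
Set-Content -Path $adFile -Value $adSample
Set-Content -Path $pwnedFile -Value $pwnedSample

# Expected: jsmith and mjones (shared "password") and svc_backup flagged; admin not.
Find-PwnedAdHashes -AdHashFile $adFile -PwnedFile $pwnedFile |
    Sort-Object Prevalence -Descending | Format-Table -AutoSize
```

For a real run, point -PwnedFile at the downloaded NTLM list instead of the sample file. Two cautions: the AD export is a list of pass-the-hash credentials, so produce it on a trusted host, keep it off shared storage and wipe it when done; and keep the comparison entirely offline, since the hashes should never be submitted to the online API. If you use a script that only defines a function, as many published PowerShell scripts do, running it as .\Script.ps1 defines the function in a throwaway scope and appears to do nothing; dot-source it instead (. .\Script.ps1) so the function lands in the current session, then call it.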

3 thoughts on “Checking Pwned Passwords against Active Directory’s NTLM Hashes”

  1. How did you get the Match-ADHashes.ps1 script to work? I have my HIBP NTLM hash list, I created my AD hash list using DSInternals, but I can't get the script to work. I run: Match-ADHashes -ADNTHashes C:\ADaudit\ADhashes.txt -HashDictionary C:\testhash.txt and I get an error that says:

    Match-ADHashes : The term ‘Match-ADHashes’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + Match-ADHashes -ADNTHashes C:\ADaudit\ADhashes.txt -HashDictionary C: … + ~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Match-ADHashes:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException

    Suggestion [3,General]: The command Match-ADHashes was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type: “.\Match-ADHashes”. See “get-help about_Command_Precedence” for more details.

    After this error I added .\ to the beginning of the above command and then nothing happens: no errors or anything, the cursor moves down one line, waiting for a new command.
